
GDPR: How to maintain a register of personal data processing?


The GDPR (General Data Protection Regulation) has been in force since May 2018. As part of your compliance efforts, you will come across an important document: the « Register of processing activities ». Keeping this register is required by Article 30 of the GDPR.

This register succeeds the « CNIL declaration » that was mandatory before the GDPR came into force. It therefore continues a principle that already existed in the French Data Protection Act (Loi Informatique et Libertés) of 1978.

It is true that the old rules were only more or less respected, and that everyone claimed an exemption. In any case, the regulation is now European and the CNIL is actively monitoring its application. For example, in 2019 the CNIL carried out 300 inspections, more than half of them on-site.

It is therefore essential to be GDPR compliant.

The « Register of processing activities » is an important compliance document. In this article, we suggest you spend some time on this document so you understand how to put it in place.

Follow the guide!

1 – Register of processing activities: what is it?

The register of processing activities is a document listing the processing of personal data that you carry out. Here are two links to definitions of these core GDPR concepts:

Objectives and challenges

The objective of the register is to provide an overview of what you do with personal data and to collect all the information associated with this processing.

To establish this register, you will have to ask yourself questions, gather information, and describe (or develop) procedures...

Don't be afraid: it is also an opportunity, especially if you are not a GDPR expert, because working on your « Register of processing activities » is a good way to organize your GDPR compliance process. The register will require you to document your approach and will help you ask the right questions.

Why should this document be prepared?

From a practical point of view, in case of a data leak or loss, the processing register provides the information needed to assess the severity of the situation, put countermeasures or solutions in place, and inform and advise the data subjects concerned.

The register contributes to the documentation of your compliance. For more information on this document, you can visit the official CNIL page:

Finally, it is also one of the documents you will have to produce in the event of an inspection by the authority. How does a CNIL inspection go?

2 – Keeping a register, but where to start?

A register of processing activities: what does it look like and where can you find one?

Model proposed by the CNIL

The CNIL proposes a model processing register: Simplified register model [ODS – 51.23 KB]

Screenshot of the « Register form » tab of the CNIL document

The cells in this spreadsheet are annotated to help you fill in the fields, which let you describe your organization, identify and list the processing operations you perform, and, for each processing operation, detail its context, specifying:

  • The actors and their contact details (controller / processor(s) / DPO / etc.)
  • The purpose(s) of the processing
  • The types of personal data concerned
  • The categories of data subjects
  • The recipient(s)
  • The security measures implemented to protect this data
  • Transfers of this data outside the EU and the associated recipients.

Other solutions: examples of DPO tools

You will find the same type of document in the tools sold on the market to manage your GDPR compliance.

These tools are solutions such as MyDPO, CaptainDPO, DPManager, Smart Global or DataLegalDrive... The « Register of processing activities » is often at the center of the features they offer.

3 – Do I have to keep a register of processing activities?

The CNIL's answer is as follows:

The obligation to keep a register of processing operations applies to all organizations, public and private, regardless of their size, as long as they process personal data.

CNIL website – cnil.fr

That sets the tone! Let's try to clarify a little.

Derogation for companies with fewer than 250 employees

Companies with fewer than 250 employees benefit from a derogation regarding record keeping. But be careful: this derogation does not apply in many cases.

A company with fewer than 250 employees MUST keep a register for:

  • non-occasional processing (e.g. payroll management, customer/prospect management, suppliers, etc.);
  • processing likely to pose a risk to the rights and freedoms of individuals (e.g. geolocation systems, video surveillance, etc.);
  • processing of sensitive data (e.g. health data, criminal offences, etc.).

In other words, a company with fewer than 250 employees MUST keep a register EXCEPT for occasional processing of non-sensitive data that poses little risk to individuals.

Distinction between « controller » and « processor »

The requirements for keeping a processing register are not the same depending on whether you are a « controller » or a « processor ».

This distinction deserves clarification. I will take the example of a company I know well: the web agency Be API, whose mission is to carry out WordPress web projects for its customers.

In fact, we have both statuses under the GDPR, « controller » AND « processor »:

Be API is « controller »

For all personal data processed by Be API SARL for its own operation. This is the data of the agency's employees, the customer file, the prospect files (direct, via the website, via social networks...), the supplier file, etc.

We also have a number of processors who enable us to run our business and who host this data: CRM, accounting/management tool, payroll tool, etc.

We therefore have an obligation to establish and maintain a processing register for this activity (these activities).

Be API is « processor »

We have processor status for the personal data contained in our customers' web projects.

For the creation or redesign of a site, the customer will, for example, send us the list of newsletter subscribers or the list of « customer accounts » to be imported into the new site.

For a web project in RUN phase (maintenance), we make copies of the site on our working environments (development or test environments) and therefore potentially copy the personal data files contained in those sites.

We therefore process personal data « on behalf of » our clients. So we are a « processor ».

If you are also a processor (or if you work with a processor), be aware that this status entails specific obligations under the GDPR. The processor's liability may be engaged in the event of a breach. To find out everything about this status, the CNIL has produced a document dedicated to processor status.

In our role as a web agency, we have produced a register of processing activities for our processing activity « in general ». It describes the agency's procedures for handling and managing the personal data issues of our clients' projects.

We also offer some clients to create a register of processing activities specific to that client's project(s). It seems to me that this goes beyond our obligations as a processor, but it allows us to help and support the client in establishing their own processing register. The client can thus use the processing register produced by Be API (processor) as a « starting document » for their own (controller's) processing register. A time-saver for them.

4 – And once it's done?

Put your work back on the loom a hundred times (revise it again and again)!

Remember that GDPR compliance is a process. It is not acquired once and for all. Once you have produced a register of processing activities (or several registers, in our case), you must provide for procedures to review and update these documents. You must also document these procedures.

Finally, be aware that in case of a data leak or loss, this is the document you will have to provide to the supervisory authority.

If you need inspiration

Finally, if you want to see a completed register of processing activities, here is the CNIL's. Of course, the CNIL is itself a regulated body... it must therefore produce a register of processing activities for its own activity.

This is obviously an example. It is accessible here.